Re: [Tails-dev] please look at Comparison of Whonix, Tails a…

Delete this message

Reply to this message
Author: adrelanos
Date:  
To: intrigeri
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] please look at Comparison of Whonix, Tails and TBB
intrigeri:
> Hi,
>
> adrelanos wrote (27 Sep 2012 04:27:33 GMT) :
>> I created a Comparison of Whonix, Tails and TBB
>
> Thanks a lot for doing that work!


Thanks for the thorough review!

I think I incorporated all your suggestions. This is of course not final
and I'd change again if anything is still incorrect.

> I must say I'm very happy to see someone explore the gateway /
> workstation design both practically and theoretically -- we still have
> not made up our mind on that one within Tails, and current hardware is
> probably not ready for it yet in a Live system setting, but I do
> believe that the work that happens on this topic in Whonix today will
> benefit Tails in the future.


Nice to be of service. :)

There is a another research project ongoing (for Tails ;). Qubes OS with
a strong security by isolation concept. Got so far very good feedback.

http://qubes-os.org/

Offers much stronger protections than Virtual Box. After a quick look,
Tor isolation is also good.

http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html

Disadvantages are, that it does not run on top of Debian. Ok, not a
"real" disadvantage but hard if you are accustomed to Debian. It's a
complete operating system, they say more like a Xen distribution with
Fedora. And it has even higher hardware requirements.

http://wiki.qubes-os.org/trac/wiki/HCL

>> If there is anything wrong, I'll correct it right away.
>
> Generally, I found this comparison just fine, but perhaps a tiny bit
> too simplistic, and unfortunately it looks like those simplifications
> always happen in the same way: e.g.


> for "Protection against root
> exploits", Whonix gets a Yes, Tails gets a No... and one has to read
> the footnote to understand this is about root exploits in
> Whonix-Workstation only. See what I mean? I acknowledge it's probably
> much harder to root the Whonix-Gateway than Tails, but still...


That is now hopefully clarified.

> Another similar occurrence is the "Amnesic" security property
> comparison. I find it misleading to state that it is an "Optional
> Feature" (via VM snapshots, pointing to a barely documented process)
> in Whonix, and a Yes in Tails, as if it was the same kind of amnesia.
> For the former, it's "let's hope the host OS won't write my secrets to
> disk", right? While for the latter, it's a basic design principle,
> that I think is pretty well enforced. Feel free to tell me I should
> read the Whonix design doc, if I'm totally wrong on that one :)


Fixed.

> About "IP/DNS protocol leak protection" and "Icedove (Thunderbird)
> leaks the real IP address": I do acknowledge the Whonix way (the
> workstation apps don't know the IP address at all) gives additional
> by-design protection, but please make it clear that such leaks are
> made now waaay less likely in Tails since we dropped
> transparent torification.


Fixed.

> More generally, I suggest that you define the compared security
> properties next to the comparison tables, else I already imagine less
> technical users, reading that Tails gets a No for "Hides hardware
> serials", conclude that Tails sends hardware serials over the Internet
> by default, and go crazy on our web forum. I'd rather avoid that.


It should now be clarified.

>> ^2^ In case Tails gets rooted, the adversary can simply run ifconfig
>> and see the user's IP. Or he could tamper with firewall rules and
>> bypass them.
>
> I'm not sure how useful it is to mention the ifconfig trick, given
> 1. it's a bit misleading to put it like that, as in most cases, it
>    will provide a mostly useless RFC-1918 address


Agreed and therefore removed it.

> 2. the second attack (breaking the firewall) is easy and always works.


Improved that.

> About "pidgin leaks the real IP": it would be very nice of you to
> mention that this bug only existed in Git, and no released version of
> amnesia was affected.



Added.

> Second, I've not studied all of Whonix design
> doc yet, so I beg your pardon if my question is naive: in case the
> Whonix gateway's firewall was not started / erroneously configured due
> to some tiny studid mistake (like the one that amnesia bug was about),
> what prevents Whonix workstation from connecting "in the clear" to the
> Internet (without going through Tor)?


Gateway has two (virtual) networks cards.
eth0 for connecting to the internet
eth1 is an isolated internal network to the Workstation

The Workstation has only one (virtual) network card.
eth0 for connecting to the isolated internal network to the Gateway.

ip-forwarding and ipv6 disabled in kernel.

A mistake in the firewall rules will prevent the eth0 interface from
getting up, since the firewall is started with pre-up.

https://github.com/adrelanos/Whonix/blob/master/whonix_gateway/usr/local/bin/whonix_firewall
https://github.com/adrelanos/Whonix/blob/master/whonix_gateway/etc/network/interfaces

Even if there were no firewall at all on the Gateway, only Tor's Ports
would listen on eth1. And without Tor being down, nothing would listen
on eth1. The Workstation could only ping the Gateway, but the Gateway
would never forward any traffic for the Workstation.

> OT, but on the same giant page: the "Squeeze only contains Tor
> 0.2.2 while Wheezy contains Tor 0.2.3" argument in favor of using
> Debian testing is a bit feable, considering weasel maintains backports
> of 0.2.3 in TTP's APT repository.


Also agreed with that and therefore removed that part.

> OT too: I've got a feeling that you will soon join my efforts to
> improve AppArmor support in Debian :)


I didn't have that it mind. Last time I experimented with AppArmor, I
didn't feel talented.

Cheers,
adrelanos